Re: tls-program

[Daniel Pittman <daniel@rimspace.net>]

Lars Magne Ingebrigtsen <larsi@gnus.org> writes:
> Sebastian Krause <sebastian@realpath.org> writes:
>
>> Since I can imagine that the native TLS in Emacs 24 will probably be based
>> on GnuTLS as well (just guessing), it might be worth trying to find out
>> what's going wrong here. What happens when you try to directly connect to
>> the servers from the shell, e.g. with "gnutls-cli -p 993 imap.example.com"?
>
> Excellent point.
>
> It turns out that gnutls-cli terminates with:
>
> - The hostname in the certificate does NOT match '<host name>'
>
> So the IMAP servers have certificates that don't match their names.  I'm
> guessing that that's common?  Adding --insecure fixes this.

Probably reasonably, outside the nicer parts of the world.

> So...  what would be the nicest behaviour here?  Adding --insecure would
> probably not be nice.  But not nice to not work, either.
>
> Hang on.  Why does the openssh thing work if the certificate isn't
> valid?
>
> Ah.  It says
>
>     Verify return code: 10 (certificate has expired)
>
> and then continues merrily on.  So gnutls-cli defaults to secure, while
> openssl defaults to insecure?  That seems inconsistent.  So perhaps
> adding --insecure is the right thing, after all?

I would be inclined to do that, from a UI point of view, but it is rather
nasty.  A better approach might be to force them explicitly to secure[1],
detect the appropriate warnings, and either prompt the user, or educate them
about what has to happen?

        Daniel

Footnotes: 
[1]  Against gnutls getting a global config file and the admin changing it,
     for example.

-- 
✣ Daniel Pittman            ✉ daniel@rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons